Email Domain Security Checker (SPF/DKIM/DMARC) #2

@DerHerrFeldmann

Idea

Add an API endpoint that checks the email security posture of a domain by inspecting its DNS records: SPF, DMARC, and optionally common DKIM selectors.

WordPress sites send transactional mail (contact forms, WooCommerce orders, password resets) — misconfigured DNS is one of the most common reasons these end up in spam.

Endpoint proposal

GET /api/mailsec.php?domain=example.com

Checks

| Record | What to verify |
| --- | --- |
| SPF (TXT @ v=spf1 …) | Present, has ~all or -all, not too permissive |
| DMARC (TXT _dmarc …) | Present, policy is quarantine or reject (not none) |
| DKIM | Probe common selectors (default, google, mail, k1) for a TXT record |

Response shape (sketch)

{
  "domain": "example.com",
  "spf":   { "present": true,  "record": "v=spf1 include:sendgrid.net ~all", "valid": true },
  "dmarc": { "present": true,  "record": "v=DMARC1; p=quarantine; rua=mailto:...", "policy": "quarantine" },
  "dkim":  { "present": false, "selectors_probed": ["default", "google", "mail", "k1"] }
}

Notes

  • Uses dns_get_record() — no external API, no key needed
  • Domain validation same as headers checker (no internal IPs, no path traversal)
  • Short-lived cache (e.g. 10 min) since DNS TTLs are typically low
  • DKIM detection is best-effort; only well-known selectors can be probed without prior knowledge
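
An added sketch of the SPF and DMARC checks from the table above; it is not part of the original issue or the project's code. The function names and the extra result keys (`all`, `reason`, `enforced`) are assumptions, and the sample records are constructed so the grading logic runs without DNS.

```php
<?php
/** Fetch the TXT strings for a name; dns_get_record() returns false on failure. */
function txtRecords(string $name): array
{
    $rows = @dns_get_record($name, DNS_TXT) ?: [];
    return array_map(fn(array $row) => $row['txt'] ?? '', $rows);
}
/** SPF: present, exactly one record, and an "all" mechanism qualified ~ or -. */
function evaluateSpf(array $txt): array
{
    $spf = array_values(array_filter($txt, fn(string $r) => preg_match('/^v=spf1(\s|$)/i', $r) === 1));
    if ($spf === []) {
        return ['present' => false, 'record' => null, 'valid' => false];
    }
    if (count($spf) > 1) { // RFC 7208: several v=spf1 records are a permanent error
        return ['present' => true, 'record' => $spf[0], 'valid' => false, 'reason' => 'multiple SPF records'];
    }
    $all = null;
    foreach (preg_split('/\s+/', trim($spf[0])) as $term) {
        if (preg_match('/^([+?~-]?)all$/i', $term, $m) === 1) {
            $all = $m[1] === '' ? '+' : $m[1]; // a bare "all" means "+all" (too permissive)
            break;                             // terms after "all" are never evaluated
        }
    }
    return ['present' => true, 'record' => $spf[0], 'valid' => in_array($all, ['~', '-'], true), 'all' => $all];
}
/** DMARC: present and p= is quarantine or reject (p=none only monitors). */
function evaluateDmarc(array $txt): array
{
    foreach ($txt as $r) {
        if (preg_match('/^v\s*=\s*DMARC1\s*(;|$)/', $r) !== 1) {
            continue;
        }
        $policy = null;
        foreach (explode(';', $r) as $tag) {
            [$k, $v] = array_pad(array_map('trim', explode('=', $tag, 2)), 2, '');
            if (strtolower($k) === 'p') {
                $policy = strtolower($v);
            }
        }
        $enforced = in_array($policy, ['quarantine', 'reject'], true);
        return ['present' => true, 'record' => $r, 'policy' => $policy, 'enforced' => $enforced];
    }
    return ['present' => false, 'record' => null, 'policy' => null, 'enforced' => false];
}
// Constructed sample TXT sets (not real lookups): one passing SPF, one "+all", one p=none.
$spfOk   = evaluateSpf(['site-verification=constructed', 'v=spf1 include:sendgrid.net ~all']);
$spfOpen = evaluateSpf(['v=spf1 a mx +all']);
$dmarc   = evaluateDmarc(['v=DMARC1; p=none; rua=mailto:dmarc@example.com']);
echo json_encode(['spf_ok' => $spfOk, 'spf_open' => $spfOpen, 'dmarc' => $dmarc], JSON_PRETTY_PRINT), "\n";
// Live use: evaluateSpf(txtRecords($domain)); evaluateDmarc(txtRecords('_dmarc.' . $domain));
```

A record that relies on `redirect=` instead of an `all` mechanism is reported as not valid by this sketch, so a full checker would need to follow the redirect before grading.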
